1. Field of Invention
This invention relates to bank cards, credit cards, debit cards, smart cards, communication cards, financial transaction cards, student cards, employee cards, medical cards, identification cards and any other card based system that requires an authorized user to recall and enter a code in order to gain access to a protected resource, information source or service. This invention is also related to non-card based systems such as Internet and Intranet access codes, computer codes, alarm codes, lock codes, wireless codes or any other non-card based code which requires an authorized user to enter a code in order to gain access to a protected resource, information source or service.
2. Description of Prior Art
As computers have become more predominant in everyday life, it becomes evident that business in the near future will be transacted, in a larger part, on the electronic superhighway or the Internet. The convenience of shopping the Internet and the utilization of e-commerce has already begun to permeate our lives. Credit card transactions and product orders on the Internet are now commonplace. However, along with this newfound convenience, system security, user identification, and validation of user identification remain legitimate and primary concerns for users of the current systems.
The immediate solution to these security issues and concerns is the multitude of PIN codes, passwords and passcodes that have been issued to secure the totality of our protected resources. In other words, Internet and credit card users are becoming overwhelmed with well-intended security codes. Even though passcodes (passwords which do not form recognizable words) are extremely secure, attempting to recall a meaningless jumble of upper and lower case characters is unrealistic and impractical for most users. The avalanche of PINs, passwords and passcodes has become so crushing that many users often breach the intended security by writing these codes in convenient places which are easily available to both the authorized and unauthorized user.
In today's marketplace, four requirements are paramount in granting access to an authorized user of a protected resource: (1) authorized user identification, (2) verification of authorized user identification, (3) unauthorized user access rejection and (4) an appropriate level of security to protect the resource from unauthorized use. For example, when a user (authorized or unauthorized) wishes to withdraw funds from an Automated Teller Machine (ATM), a bank card is inserted into the ATM and the "card" is identified via data transferred from a magnetic strip or an electronic chip within the card to a system database. To verify that the user is the authorized user of the bank card inserted into the ATM, the ATM prompts the user to enter a Personal Identification Number (PIN) which is only issued to the authorized user by the grantor of the bank card. If the PIN entered by the user is identical to the PIN issued to the authorized user and also recorded in system database memory, the user is verified as the authorized user and the transaction is allowed to proceed. The security afforded by this transaction involves possession of the bank card issued to the authorized user, knowledge of the PIN code, an upper limit cash demand and card deactivation if a consecutive series of incorrect PINs are entered into the ATM system. Theoretically, this security system is adequate to prevent an unauthorized user from gaining access to an account, but unfortunately, unauthorized access to protected resources has become a billion dollar problem. The resolution of this problem lies in understanding the weaknesses of the present systems and how to effectively eliminate those weaknesses while simultaneously maintaining simplicity, security and efficiency.
As the PIN system of security became the standard for verification of an authorized user in both card and non-card based systems, authorized users were subsequently required to recall a plurality of PIN codes in order to gain access to protected resources and services. This problem of excessive recall was resolved on the user level by recording PIN codes in writing and carrying a copy for easy reference in a wallet or purse. However, this was a direct compromise of the intended security afforded by the PIN system and could result in easy unauthorized access to related accounts if the wallet or purse was stolen. The recall problem was addressed on the grantor level by allowing the use of personalized PINs. In this way, an authorized user could eliminate recalling a multitude of PIN codes by making all PIN codes identical. In other words, personalized PINs allowed an authorized user to utilize a single PIN code for all protected resources, and additionally, a PIN of personal choice. However, if the personalized PIN was easy to guess, such as the authorized user's birth date or phone number, an informed unauthorized user could gain access to all protected resources with a single intelligent guess. Today, the major disadvantage of personalized PINs is the requirement of identical code lengths with constant and unchanging characters, usually numerals. If unauthorized use of a resource is obtained by observing the PIN entry of the authorized user, said unauthorized user instantly gains access to all resources protected by said personalized PINs. Therefore, personalized PINs decrease the personal security of the authorized user due to the possible windfall associated with gaining unlawful possession of the authorized user's wallet or purse and subsequent access to all resources protected by personalized PINs. 
Gaining access to the Internet and e-commerce environments with an increased level of security has changed access code requirements with respect to code length and the alphanumeric mix of code characters. Since many internet sites now require access codes of eight or more characters with a minimum of two numerals, or instead issue a code of their choosing of varied lengths, personalized PINs only resolved the excess PIN memory overload problem for a short period of time.
With the advent of the Internet and e-commerce, the security level intended by the four digit PIN code system was inadequate for the computer based environment and became obsolete overnight. PIN codes were replaced by passwords, or words in the authorized user's native language that were of sufficient length to increase security and that could be easily recalled. The password system increased the level of security, but eventually users were forced to record their passwords near the computer to avoid confusion with other passwords associated with a multitude of other applications and protected resources. The plurality of PINs, from the not so distant past, was replaced with a plurality of passwords. However, this new problem of too many passwords was resolved with software that allowed an authorized user to conveniently record their user log-on names and passwords in computer memory for automatic submission to the protected application or resource. However, if the computer was stolen or sold without erasing the codes, it became easy for an unauthorized user to gain access to all protected resource codes held in computer memory. Additionally, if an authorized user traveled on business and needed to use a protected resource which required the entry of an access code, and that code was only recorded in the memory of a home based computer, the user would be unable to gain access to that resource unless the correct code could be recalled. In other words, security was compromised for convenience and accessibility when codes were recalled by internal computer software.
Computer passwords have been replaced with passcodes that contain both numeric and alpha characters forming a non-word of an adequate length. This greatly increases the level of security, but if the highly secure passcodes are logged into computer memory for automatic submission as mentioned previously, the intended security level is also potentially diminished.
There are a multitude of examples depicting the limitations associated with human memory, code recall, and maintaining the intended level of security. Presently, there is no simple and effective system of authorized user verification with an adequate level of security to prevent unauthorized use, but attempts have been made to better the present systems with human limitations in mind.
Method and Apparatus for Improving Security Using Access Codes, U.S. Pat. No. 5,239,583 by Parrillo is an attempt to increase system security by varying the four digit credit card PIN code in a predetermined sequence in order to thwart any attempt by an unauthorized user to obtain the PIN by observing the PIN key pad entry of the authorized user. Since the PIN entered by the authorized user was only valid for the transaction in progress, and since the PIN for the next transaction would be different, any attempt of unauthorized use by observing or recording the PIN and account number key pad entries of the authorized user would be in vain. This patent also utilized the standardized telephone key pad, and the accompanying alphanumeric designations, to aid in PIN recall. A four letter key word was chosen and referenced to the alphanumeric telephone key pad to aid in PIN recall. This type of mnemonic aid could become very complicated with multiple PINs requiring the authorized user to recall specific words for specific PIN codes. Security could be selectively increased by changing more than one numerical digit in the PIN as the code progressively changed in said predetermined sequence. However, to achieve increased security, the authorized user is required to recall complicated and unreasonable scenarios making the system highly impractical. Parrillo's patent did have some of the very important key features: transaction specific PINs that sequentially repeated and PIN code variation. My patent improves Parrillo's patent by requiring the authorized user to only recall a single sequential pattern to obtain a plurality of PINs from any standardized geometric configuration, eliminating the use of the alphanumeric telephone key pad and the associated key words as mnemonic aids, and eliminating complicated memory steps to increase security.
Parrillo's invention uses complicated repeating sequences of PIN code numbers that must be recalled by the authorized user to increase system security at the expense of simplicity. A user must keep track of exactly how many times a plurality of cards and associated PINs have been used within a 24 hour period to maintain access to all accounts.
If a user forgets the complicated sequences or becomes confused, Parrillo's invention will prevent the authorized user from gaining access to their own protected resources, defeating the primary intention of authorized user access codes. My invention uses a single secret sequential pattern within a geometric matrix to recall all transaction specific PINs of varying code lengths across a plurality of protected resources. My invention provides a much greater level of security than Parrillo's invention by randomly changing PIN code characters and length within a single, unchanging sequential pattern. Parrillo's invention does not use sequential patterns or a geometric matrix and is not suited for the internet environment due to the underlying complicated nature associated with PIN code recall.
Telephone Based Credit Card Protection, U.S. Pat. No. 5,513,250 by McAllister is another attempt to increase PIN system security by permitting the authorized user to limit credit card or resource access by incorporating a specified set of temporary parameters such as time frame, geographical area, dollar limit and a temporary PIN into authorized user access requirements. In order for a transaction to proceed, all of the temporary parameter requirements specified by the authorized user had to first be satisfied. All temporary parameters were also to be defined on a per use basis by the authorized user. This system definitely increased PIN system security, but at the expense of the authorized user's time and energy. Since McAllister's patent required the authorized user to satisfy all predefined temporary parameter limits prior to card use, the proposed system is both very impractical and inconvenient. However, McAllister, like Parrillo, did propose the use of a temporary PIN to increase system security. My patent improves on McAllister's patent by requiring no authorized user involvement or inconvenience to enhance system security when using a credit card or accessing a protected resource on a use-by-use basis. McAllister's patent does not utilize a geometric matrix or a sequential pattern to recall PIN codes, and therefore, must rely upon the unreliable capabilities of human memory.
Personal Identification System, U.S. Pat. No. 5,251,259 by Mosley is a patent that increases system security by varying a three or four digit PIN with respect to the day of the week, the number of card uses in a particular day, and an alpha word key to indicate which columns of numbers within a matrix held the valid PIN. This system requires the use of a matrix decoder to obtain the correct PIN codes. If the authorized user were to lose the decoder or forget how many times the card was used in a particular day, even the authorized user could not gain access to the protected resource. Mosley's patent increased system security by making PIN recall extremely complicated and dependent upon possession of a decoding device. However, Mosley did have a clear vision of the problem of insufficient system security, and once again, resolved the problem by variation of the PIN. My patent improves Mosley's patent by incorporating a much higher level of security without requiring the authorized user to carry a decoding device and the associated complications of decoding a simple three or four digit PIN code. Also, my patent does not require the authorized user to remember how many times a particular protected resource has been accessed in order to properly decode the correct PIN. Mosley's invention uses a static geometric matrix where all matrix numerals are fixed and not capable of changing, and where no sequential pattern is utilized within said matrix. Mosley's matrix is indexed by the alpha abbreviations of the days-of-the-week at the top of the matrix and alpha characters at the bottom of the matrix. The visible character sequence of "S-M-T-W-T-F-S" is an indication to an unauthorized user that knowledge of the day-of-the-week is involved in the decoding process, which in itself lowers the overall security level of Mosley's invention. The numerals within Mosley's matrix are optimized to a range of 1 to 7 which correspond to the number of PIN code uses within a particular day.
If the numerals within the matrix were increased to 10, the Mosley card containing the matrix would have to increase in size, or the print font would have to become smaller, and the authorized user would be required to keep track of a possible increased number of PIN code uses. The alpha characters at the bottom form a secret word or alpha character set used to decode the PIN. Also, Mosley's invention must use a different matrix card for each and every protected resource, requiring the authorized user to carry a plurality of Mosley matrix cards. Therefore, Mosley's invention requires an authorized user to recall a secret character set, have knowledge of the day-of-the-week, keep track of how many different times a plurality of credit cards have been used within a set period of time, and have physical possession of all cards containing the Mosley matrix. These Mosley requirements complicate rather than simplify the process of recalling a PIN code with increased security. My invention uses a single unchanging sequential pattern within a geometric matrix requiring an authorized user to recall only said sequential pattern to recall a plurality of PIN codes across multiple protected resources. My invention does not require the authorized user to have knowledge of the day-of-the-week or how many times a specific protected resource had been accessed within any time period.
My invention further improves Mosley's invention by having the ability to adjust system security as follows: 1) by changing all characters within the geometric matrix for each and every transaction, 2) by changing all characters within the secret sequential pattern in random and non-repeating fashion, 3) by having the capability to adjust PIN code length on a transaction-to-transaction basis, 4) by not revealing any part of the decoding method such as days-of-the-week, and 5) by not requiring the authorized user to carry an ancillary device which could possibly lower system security if possessed by a clever unauthorized user. Mosley's invention is also not compatible with use on the internet environment where passwords and passcodes are commonplace.
Memory Aiding Device for Credit Card PIN Numbers, U.S. Pat. No. 5,742,035 by Kohut, uses a secret sequential pattern within a standardized geometric matrix to recall an authorized user's dedicated PIN code. Kohut's patent is not capable of using transaction specific PIN codes, and therefore, can only recall the same fixed PIN code on all transactions. Kohut's preferred embodiment is an encoded geometric matrix label that attaches directly to the surface of an authorized user's credit card allowing the authorized user to recall that card's dedicated PIN. Kohut simplified code recall by using a single secret sequential pattern chosen by the authorized user to recall a plurality of different fixed PIN codes across different credit cards and protected resources. However, Kohut's patent could not vary PIN code characters or PIN code length within the secret sequential pattern, thus limiting system security. My patent improves Kohut's patent by eliminating the use of dedicated PIN codes, passwords and passcodes by substituting transaction specific codes only valid for the specific transaction in progress, and for a limited period of time. Also, my patent permits a much higher level of system security through a combination of available positions within the geometric matrix, code length, code time out, and the use of transaction specific codes which are random, and therefore, immune to observation attempts of unauthorized users.
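The transaction specific code flow described above (a freshly randomized matrix per transaction, a code read along the user's secret sequential pattern, a variable code length and a code time out) is sketched below as an added example; it is not code from the patent. The 5x5 digit matrix, the 60 second time out, the minimum length of 4, the rule that the user reads the first N pattern positions, and all function and class names are assumptions made for illustration.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

ROWS, COLS = 5, 5            # assumed matrix dimensions
ALPHABET = string.digits     # assumed character set shown in the matrix
CODE_TTL_SECONDS = 60.0      # assumed code time out
MIN_CODE_LEN = 4             # assumed shortest code the grantor will request


@dataclass
class Challenge:
    matrix: list             # ROWS x COLS grid of random characters
    code_len: int            # how many pattern positions to read this time
    issued_at: float
    used: bool = False


def new_matrix():
    """Fill every cell with a fresh random character for this transaction."""
    return [[secrets.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]


def read_code(matrix, pattern, code_len):
    """What the user does: read the cells along the secret pattern, in order."""
    return "".join(matrix[r][c] for r, c in pattern[:code_len])


class Verifier:
    """Grantor side. The pattern is a long-term secret that must be stored in
    recoverable form, because the expected code is recomputed per challenge."""

    def __init__(self, pattern):
        if len(pattern) < MIN_CODE_LEN:
            raise ValueError("pattern shorter than the minimum code length")
        if any(not (0 <= r < ROWS and 0 <= c < COLS) for r, c in pattern):
            raise ValueError("pattern position outside the matrix")
        self._pattern = list(pattern)

    def issue(self, now=None):
        now = time.monotonic() if now is None else now
        span = len(self._pattern) - MIN_CODE_LEN + 1
        code_len = MIN_CODE_LEN + secrets.randbelow(span)
        return Challenge(new_matrix(), code_len, now)

    def verify(self, challenge, submitted, now=None):
        now = time.monotonic() if now is None else now
        if challenge.used:                       # one attempt per challenge
            return False
        challenge.used = True                    # burn it even on failure
        if now - challenge.issued_at > CODE_TTL_SECONDS:
            return False
        expected = read_code(challenge.matrix, self._pattern, challenge.code_len)
        return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    # Constructed sample pattern: main diagonal, then the top-right corner.
    secret_pattern = [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (0, 4)]
    verifier = Verifier(secret_pattern)
    ch = verifier.issue()
    for row in ch.matrix:
        print(" ".join(row))
    code = read_code(ch.matrix, secret_pattern, ch.code_len)
    print("code length requested:", ch.code_len, "entered:", code)
    print("accepted:", verifier.verify(ch, code))
    print("replay accepted:", verifier.verify(ch, code))
```
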
Credit Card Verifier, U.S. Pat. No. 4,016,404 by Appleton uses apertures inserted into the surface of a credit card which contain a scrambler code, a check sum and the authorized user's PIN code to verify the authorized user. Appleton's invention uses a single dedicated PIN code and does not have the capability to change codes from transaction-to-transaction, limiting the overall security of the Appleton system. If an unauthorized user had possession of the Appleton credit card and had knowledge of the PIN code, the security would be completely compromised. Appleton does utilize a matrix of apertures in his invention, but no sequential pattern containing a changeable transaction specific PIN code is utilized; rather, Appleton's matrix contains a single fixed PIN code. The advantage of the Appleton invention is that interrogation of the system database is not required to verify the PIN code of the authorized user. My invention greatly improves upon the Appleton invention 1) by utilizing transaction specific PIN codes that constantly change, 2) by maintaining system security even if an unauthorized user has possession of the authorized user's credit card, and 3) by having the capability to access protected resources on the internet without the use of a physical credit card.
Computer Access Security Code System, U.S. Pat. No. 4,926,481 by Collins uses a single or multi-dimensional geometric matrix, but does not use a randomly chosen sequential pattern chosen by the authorized user within said matrix. The purpose of the Collins invention is not to gain access to a protected resource by entering a PIN code, but rather to gain access by entering the correct response to a transmitted character set which corresponds to opposing corners of a specific geometry. The user must provide the character set from an identical geometric matrix which defines the remaining two corners of the said specific geometry. However, both the user and the grantor of the protected resource must be in possession of the required identical geometric matrices and have knowledge of the specific geometry being utilized. Collins does not use a secret sequential pattern within a geometric matrix, but the perimeter of a specified geometry, such as a rectangle, to create a pattern without any defined sequence. The Collins invention uses either single or multiple sets of codes which are obtained from different geometric matrices to adjust the security level, thus requiring the authorized user to rely upon detailed documentation to gain access to the protected resource. My invention does not require documentation to either adjust the level of security or to change the code and does not require the authorized user to be knowledgeable of specified geometry perimeters which may change from time to time. My invention simplifies code recall by utilization of a single secret sequential pattern not tied to any specific geometry and not requiring multiple matrices to increase the level of security. Our two inventions (Collins and my invention) use similar items such as patterns, matrices and transitional codes, but these devices have been used within the art for many years. The difference lies in design, implementation and requirements for use.
Memory Aiding Device, U.S. Pat. No. 5,246,375 by Goede uses a card containing a primary matrix of numbers which is perimeter indexed on the "X" and "Y" axis by alphanumeric characters arranged in ascending order and used as matrix position locators. A recording means with a transparent secondary matrix overlays the primary matrix for the purpose of decoding a specific PIN code associated with a single specific protected resource. Once said recording means is properly positioned on the surface of the primary matrix by a specific user recalled index code, dedicated secondary matrix positions highlighted by color form a decoding pattern which is visible to both the unauthorized and authorized users. Each protected resource will utilize the same index locator code, but each will also be required to have a unique secondary matrix containing a different pattern to decode a different specific PIN code. My invention improves upon Goede's invention 1) by requiring no ancillary device in the possession of the authorized user to recall or decode a PIN code, 2) by requiring the authorized user to recall only a single secret sequential pattern to decode a plurality of PIN codes across a plurality of protected resources, 3) by greatly increasing the level of system security by use of transaction specific codes and altered code length and 4) by being conducive to the internet environment. Since Goede's invention may render the authorized user's access to a protected resource nonexistent if the primary or secondary matrices are lost, relying on Goede's device during travel may place the authorized user at considerable risk.
In summary, all of the patents mentioned above are primarily designed to increase the present level of system security associated with protected resource code recall, such as PIN codes, passwords and passcodes. In many cases, system security was increased at the expense of practicality. The true nature of the code recall problem is that human beings do not remember numbers, words or a combination of alphanumeric characters for any length of time unless some form of constant reinforcement is applied. The true resolution of this problem is not to use numbers or alphanumeric characters as codes to gain access to protected resources, but to use something much more user friendly to the human brain: sequential pattern recognition. For example, the notes of a song form an audio sequential pattern, and recall is effortless even over extended periods of time, and a forgotten phone number is often recalled as one recalls the phone keypad and the sequence of numbers previously depressed.